Hackers Remotely Kill a Jeep on the Highway

With Me in It

by Andy Greenberg

Wired (July 21 2015)

I was driving seventy miles per hour on the edge of downtown Saint Louis when the exploit began to take hold.

Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.

As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.

The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to Saint Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique – what the security industry calls a zero-day exploit – that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house ten miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy”, Miller had said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, “no matter what happens, don’t panic”. {1}

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an eighteen-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.

I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.

Wireless Carjackers

This wasn’t the first time Miller and Valasek had put me behind the wheel of a compromised car. In the summer of 2013, I drove a Ford Escape and a Toyota Prius around a South Bend, Indiana, parking lot while they sat in the backseat with their laptops, cackling as they disabled my brakes, honked the horn, jerked the seat belt, and commandeered the steering wheel. “When you lose faith that a car will do what you tell it to do”, Miller observed at the time, “it really changes your whole view of how the thing works”. Back then, however, their hacks had a comforting limitation: The attacker’s PC had been wired into the vehicles’ onboard diagnostic port, a feature that normally gives repair technicians access to information about the car’s electronically controlled systems.

A mere two years later, that carjacking has gone wireless. Miller and Valasek plan to publish a portion of their exploit on the Internet, timed to a talk they’re giving at the Black Hat security conference in Las Vegas next month. It’s the latest in a series of revelations from the two hackers that have spooked the automotive industry and even helped to inspire legislation; WIRED has learned that senators Ed Markey and Richard Blumenthal plan to introduce an automotive security bill today to set new digital security standards for cars and trucks, first sparked when Markey took note of Miller and Valasek’s work in 2013.

As an auto-hacking antidote, the bill couldn’t be timelier. The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway. They demonstrated as much on the same day as my traumatic experience on I-64; after narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment.

Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the two-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control – for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability”, Miller says.

From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit – the hardware for its entertainment system – silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels. Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit. They have yet to try remotely hacking into other makes and models of cars.

After the researchers reveal the details of their work in Vegas, only two things will prevent their tool from enabling a wave of attacks on Jeeps around the world. First, they plan to leave out the part of the attack that rewrites the chip’s firmware; hackers following in their footsteps will have to reverse-engineer that element, a process that took Miller and Valasek months. But the code they publish will enable many of the dashboard hijinks they demonstrated on me as well as GPS tracking.

Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference. On July 16, owners of vehicles with the Uconnect feature were notified of the patch in a post on Chrysler’s website that didn’t offer any details or acknowledge Miller and Valasek’s research. “[Fiat Chrysler Automobiles] has a program in place to continuously test vehicles systems to identify vulnerabilities and develop solutions”, reads a statement a Chrysler spokesperson sent to WIRED. “FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability”.

Unfortunately, Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic. (Download the update here.) That means many – if not most – of the vulnerable Jeeps will likely stay vulnerable.

Chrysler stated in a response to questions from WIRED that it “appreciates” Miller and Valasek’s work. But the company also seemed leery of their decision to publish part of their exploit. “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems”, the company’s statement reads. “We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”

The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review. It also sends a message: Automakers need to be held accountable for their vehicles’ digital security. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers”, Miller says. “This might be the kind of software bug most likely to kill someone”.

In fact, Miller and Valasek aren’t the first to hack a car over the Internet. In 2011 a team of researchers from the University of Washington and the University of California at San Diego (“UCSD”) showed that they could wirelessly disable the locks and brakes on a sedan. But those academics took a more discreet approach, keeping the identity of the hacked car secret and sharing the details of the exploit only with carmakers.

Miller and Valasek represent the second act in a good-cop/bad-cop routine. Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles’ security flaws. The result could be product recalls or even civil suits, says UCSD computer science professor Stefan Savage, who worked on the 2011 study. Earlier this month, in fact, Range Rover issued a recall to fix a software security flaw that could be used to unlock vehicles’ doors. “Imagine going up against a class-action lawyer after Anonymous decides it would be fun to brick all the Jeep Cherokees in California”, Savage says.

For the auto industry and its watchdogs, in other words, Miller and Valasek’s release may be the last warning before they see a full-blown zero-day attack. “The regulators and the industry can no longer count on the idea that exploit code won’t be in the wild”, Savage says. “They’ve been thinking it wasn’t an imminent danger you needed to deal with. That implicit assumption is now dead.”

471,000 Hackable Automobiles

Sitting on a leather couch in Miller’s living room as a summer storm thunders outside, the two researchers scan the Internet for victims.

Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Kyocera Android phone connected to his battered MacBook. He’s using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.

A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers’ vehicles – and knowing that each one is vulnerable to their remote attack – unsettles him.

When Miller and Valasek first found the Uconnect flaw, they thought it might only enable attacks over a direct Wi-Fi link, confining its range to a few dozen yards. When they discovered the Uconnect’s cellular vulnerability earlier this summer, they still thought it might work only on vehicles on the same cell tower as their scanning phone, restricting the range of the attack to a few dozen miles. But they quickly found even that wasn’t the limit. “When I saw we could do it anywhere, over the Internet, I freaked out”, Valasek says. “I was frightened. It was like, holy fuck, that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”

That moment was the culmination of almost three years of work. In the fall of 2012, Miller, a security researcher for Twitter and a former NSA hacker, and Valasek, the director of vehicle security research at the consultancy IOActive, were inspired by the UCSD and University of Washington study to apply for a car-hacking research grant from Darpa. With the resulting $80,000, they bought a Toyota Prius and a Ford Escape. They spent the next year tearing the vehicles apart digitally and physically, mapping out their electronic control units, or ECUs – the computers that run practically every component of a modern car – and learning to speak the CAN network protocol that controls them.

When they demonstrated a wired-in attack on those vehicles at the DefCon hacker conference in 2013, though, Toyota, Ford, and others in the automotive industry downplayed the significance of their work, pointing out that the hack had required physical access to the vehicles. Toyota, in particular, argued that its systems were “robust and secure” against wireless attacks. “We didn’t have the impact with the manufacturers that we wanted”, Miller says. To get their attention, they’d need to find a way to hack a vehicle remotely.

So the next year, they signed up for mechanic’s accounts on the websites of every major automaker and downloaded dozens of vehicles’ technical manuals and wiring diagrams. Using those specs, they rated 24 cars, SUVs, and trucks on three factors they thought might determine their vulnerability to hackers: how many and what types of radios connected the vehicle’s systems to the Internet; whether the Internet-connected computers were properly isolated from critical driving systems; and whether those critical systems had “cyberphysical” components – whether digital commands could trigger physical actions like turning the wheel or activating brakes.

Based on that study, they rated Jeep Cherokee the most hackable model. Cadillac’s Escalade and Infiniti’s Q50 didn’t fare much better; Miller and Valasek ranked them second- and third-most vulnerable. When WIRED told Infiniti that at least one of Miller and Valasek’s warnings had been borne out, the company responded in a statement that its engineers “look forward to the findings of this [new] study” and will “continue to integrate security features into our vehicles to protect against cyberattacks”. Cadillac emphasized in a written statement that the company has released a new Escalade since Miller and Valasek’s last study, but that cybersecurity is “an emerging area in which we are devoting more resources and tools”, including the recent hire of a chief product cybersecurity officer.

After Miller and Valasek decided to focus on the Jeep Cherokee in 2014, it took them another year of hunting for hackable bugs and reverse-engineering to prove their educated guess. It wasn’t until June that Valasek issued a command from his laptop in Pittsburgh and turned on the windshield wipers of the Jeep in Miller’s Saint Louis driveway.

Since then, Miller has scanned Sprint’s network multiple times for vulnerable vehicles and recorded their vehicle identification numbers. Plugging that data into an algorithm sometimes used for tagging and tracking wild animals to estimate their population size, he estimated that there are as many as 471,000 vehicles with vulnerable Uconnect systems on the road.
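
The population estimate described above is a mark-recapture calculation: identifiers seen in more than one scan play the role of tagged animals caught again. The article does not say which estimator Miller used; the following is an added example, not code from the article or the researchers, that applies two standard ones (Chapman's two-sample estimator and the Schnabel multi-sample estimator) to constructed identifiers, with all function names and sample data being assumptions.

```python
"""Mark-recapture population estimates from repeated, partial scans.

Added illustration: every identifier below is constructed, none is a real VIN.
"""
import math
import random


def chapman_estimate(first, second):
    """Two-scan Lincoln-Petersen estimate with Chapman's bias correction.

    first, second: sets of identifiers seen in each scan.
    Returns (estimated_population, standard_error).
    """
    n1, n2 = len(first), len(second)
    m = len(first & second)  # "recaptures": identifiers seen in both scans
    estimate = (n1 + 1) * (n2 + 1) / (m + 1) - 1
    variance = ((n1 + 1) * (n2 + 1) * (n1 - m) * (n2 - m)) / ((m + 1) ** 2 * (m + 2))
    return estimate, math.sqrt(variance)


def schnabel_estimate(scans):
    """Multi-scan Schnabel estimate: sum(C_t * M_t) / sum(R_t).

    C_t = size of scan t
    M_t = distinct identifiers already recorded before scan t
    R_t = identifiers in scan t that had been recorded before
    """
    marked = set()
    numerator = 0
    recaptures = 0
    for scan in scans:
        scan = set(scan)
        numerator += len(scan) * len(marked)
        recaptures += len(scan & marked)
        marked |= scan
    if recaptures == 0:
        # Without a single repeat sighting the data carries no size information.
        raise ValueError("no identifier was seen twice; cannot estimate population")
    return numerator / recaptures


def simulate_scans(population_size, scan_size, n_scans, seed):
    """Constructed test data: each scan sees a random subset of a hidden population."""
    rng = random.Random(seed)
    population = [f"SIM-ID-{i:06d}" for i in range(population_size)]
    return [set(rng.sample(population, scan_size)) for _ in range(n_scans)]


if __name__ == "__main__":
    scans = simulate_scans(population_size=5000, scan_size=1000, n_scans=5, seed=2015)
    est, se = chapman_estimate(scans[0], scans[1])
    print(f"Chapman, scans 1-2: {est:.0f} +/- {1.96 * se:.0f} (95% interval half-width)")
    print(f"Schnabel, all 5 scans: {schnabel_estimate(scans):.0f}")
    print(f"Distinct identifiers actually observed: {len(set().union(*scans))}")
```

The estimate is only as good as its assumptions: a closed population, and every unit equally likely to appear in each scan. Devices that are powered off most of the time are under-sampled, which biases the result.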

Pinpointing a vehicle belonging to a specific person isn’t easy. Miller and Valasek’s scans reveal random VINs, IP addresses, and GPS coordinates. Finding a particular victim’s vehicle out of thousands is unlikely through the slow and random probing of one Sprint-enabled phone. But enough phones scanning together, Miller says, could allow an individual to be found and targeted. Worse, he suggests, a skilled hacker could take over a group of Uconnect head units and use them to perform more scans – as with any collection of hijacked computers – worming from one dashboard to the next over Sprint’s network. The result would be a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.

“For all the critics in 2013 who said our work didn’t count because we were plugged into the dashboard”, Valasek says, “well, now what?”

Congress Takes on Car Hacking

Now the auto industry needs to do the unglamorous, ongoing work of actually protecting cars from hackers. And Washington may be about to force the issue.

Later today, senators Markey and Blumenthal intend to reveal new legislation designed to tighten cars’ protections against hackers. The bill (which a Markey spokesperson insists wasn’t timed to this story) will call on the National Highway Traffic Safety Administration and the Federal Trade Commission to set new security standards and create a privacy and security rating system for consumers. “Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car”, Markey wrote in a statement to WIRED. “Drivers shouldn’t have to choose between being connected and being protected … We need clear rules of the road that protect cars from hackers and American families from data trackers”.

Markey has keenly followed Miller and Valasek’s research for years. Citing their 2013 Darpa-funded research and hacking demo, he sent a letter to twenty automakers, asking them to answer a series of questions about their security practices. The answers, released in February, show what Markey describes as “a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle”. Of the sixteen automakers who responded, all confirmed that virtually every vehicle they sell has some sort of wireless connection, including Bluetooth, Wi-Fi, cellular service, and radios. (Markey didn’t reveal the automakers’ individual responses.) Only seven of the companies said they hired independent security firms to test their vehicles’ digital security. Only two said their vehicles had monitoring systems that checked their CAN networks for malicious digital commands.

UCSD’s Savage says the lesson of Miller and Valasek’s research isn’t that Jeeps or any other vehicle are particularly vulnerable, but that practically any modern vehicle could be vulnerable. “I don’t think there are qualitative differences in security between vehicles today”, he says. “The Europeans are a little bit ahead. The Japanese are a little bit behind. But broadly writ, this is something everyone’s still getting their hands around.”

Aside from wireless hacks used by thieves to open car doors, only one malicious car-hacking attack has been documented: In 2010 a disgruntled employee in Austin, Texas, used a remote shutdown system meant for enforcing timely car payments to brick more than 100 vehicles. But the opportunities for real-world car hacking have only grown, as automakers add wireless connections to vehicles’ internal networks. Uconnect is just one of a dozen telematics systems, including GM Onstar, Lexus Enform, Toyota Safety Connect, Hyundai Bluelink, and Infiniti Connection.

In fact, automakers are thinking about their digital security more than ever before, says Josh Corman, the cofounder of I Am the Cavalry, a security industry organization devoted to protecting future Internet-of-things targets like automobiles and medical devices. Thanks to Markey’s letter, and another set of questions sent to automakers by the House Energy and Commerce Committee in May, Corman says, Detroit has known for months that car security regulations are coming.

But Corman cautions that the same automakers have been more focused on competing with each other to install new Internet-connected cellular services for entertainment, navigation, and safety. (Payments for those services also provide a nice monthly revenue stream.) The result is that the companies have an incentive to add Internet-enabled features – but not to secure them from digital attacks. “They’re getting worse faster than they’re getting better”, he says. “If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it”.

Corman’s group has been visiting auto industry events to push five recommendations: safer design to reduce attack points, third-party testing, internal monitoring systems, segmented architecture to limit the damage from any successful penetration, and the same Internet-enabled security software updates that PCs now receive. The last of those in particular is already catching on; Ford announced a switch to over-the-air updates in March, and BMW used wireless updates to patch a hackable security flaw in door locks in January.

Corman says carmakers need to befriend hackers who expose flaws, rather than fear or antagonize them – just as companies like Microsoft have evolved from threatening hackers with lawsuits to inviting them to security conferences and paying them “bug bounties” for disclosing security vulnerabilities. For tech companies, Corman says, “that enlightenment took fifteen to twenty years”. The auto industry can’t afford to take that long. “Given that my car can hurt me and my family”, he says, “I want to see that enlightenment happen in three to five years, especially since the consequences for failure are flesh and blood”.

As I drove the Jeep back toward Miller’s house from downtown Saint Louis, however, the notion of car hacking hardly seemed like a threat that will wait three to five years to emerge. In fact, it seemed more like a matter of seconds; I felt the vehicle’s vulnerability, the nagging possibility that Miller and Valasek could cut the puppet’s strings again at any time.

The hackers holding the scissors agree. “We shut down your engine – a big rig was honking up on you because of something we did on our couch”, Miller says, as if I needed the reminder. “This is what everyone who thinks about car security has worried about for years. This is a reality.”

Links: The original version of this article, at the URL below, contains links to further information not included here.

Update 3:30 7/24/2015: Chrysler has issued a recall for 1.4 million vehicles as a result of Miller and Valasek’s research. The company has also blocked their wireless attack on Sprint’s network to protect vehicles with the vulnerable software.

{1} Correction 10:45 7/21/2015: An earlier version of the story stated that the hacking demonstration took place on Interstate 40, when in fact it was Route 40, which coincides in Saint Louis with Interstate 64.

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/


Frontline of the Battle is Not Tanks or Planes …

… It’s Cyberwarfare

People underestimate what cyberwarfare can do, but as the infrastructure of all our countries is run over the internet now, an attack on them could make society collapse within days, says Annie Machon, former MI5 agent.

RT.com / Op-Edge (July 24 2015)

Annie Machon is a former intelligence officer for MI5, the UK Security Service, who resigned in the late 1990s to blow the whistle on the spies’ incompetence and crimes with her ex-partner, David Shayler. Drawing on her varied experiences, she is now a public speaker, writer, media pundit, international tour and event organiser, political campaigner, and PR consultant. She is also now the Director of LEAP, Europe. She has a rare perspective both on the inner workings of governments, intelligence agencies and the media, as well as the wider implications for the need for increased openness and accountability in both public and private sectors.

Germany passed legislation which requires over 2,000 essential service providers to implement new minimum information security standards. If they fail to do so within two years they are going to face fines of up to 100,000 euros.

READ MORE: http://www.rt.com/news/273058-german-cyber-security-law/

RT: Germany seems to be focusing on offense as much as defense, when it comes to improving their cyber capabilities. Who and what do you think they want to attack?

Annie Machon: I think that is a very interesting question: who do you want to attack with the cyberwarfare capabilities? Who precisely is the enemy these days? We know from the Snowden disclosures that Germany itself has been attacked aggressively by the NSA and GCHQ. We know from the Snowden disclosures that Germany itself has been aggressively targeting, attacking and intercepting the communications of its so-called European allies. So, whom precisely are they targeting now, and why is the army getting involved as well as the [German foreign intelligence agency] BND [Bundesnachrichtendienst]?

RT: Defense is also highlighted as an important element in the new cyber plan for 2016. How much of this do you think is aimed at Germany’s own allies, the NSA, known now to spy on a host of politicians in Germany?

AM: I think the frontline of the battle these days now is not tanks, is not planes, it is cyberwarfare. Germany certainly seems to be very willing to be complicit in working with the NSA to wage that war. I’m sure that it is pointing eastwards as well. It is a difficult one to try and predict …

RT: Do you think we’re coming to a time when conventional warfare operations will be used as a supplement to cyber wars, as opposed to the other way around?

AM: I think both will still have a role. However, I think most people underestimate the scope of what cyberwarfare can do. The infrastructure of all our countries is run over the internet now. It’s run by computers, be it electricity, be it the traffic signal control, be it train systems – wherever it is: banking, encryption – everything is dependent on cyber issues. So if you start waging cyberwarfare against the infrastructure of a nation state, then the whole nation state could collapse within a few days. If those basic levels of control, those basic levels of enablement for the society are taken away, then society will begin to collapse very quickly, particularly in cities. I think this is a very effective way of waging warfare if they chose to do it. The follow-up would then be with more conventional ways.

RT: Would you say Germany is developing with the times here, or are they behind the curve in terms of cyberwarfare, how do they measure up to say, the US?

AM: … I’m sure they’ve been catching up for years. And that is partly where their dependence on the NSA technical capabilities has evolved from – they needed that to play catch up with the rest of the world. However I think they are very much in the field now. From what I’ve seen, the collusion with the NSA, they are very much part of the certain camp – to wage warfare against the rest of the world in the cyber realm.

RT: When it comes to conventional war – every government has an absolute advantage over regular people in terms of capability but it’s not necessarily the case in cyber space, as you need just a computer and the internet and knowledge of network protocols et cetera. Do you think we will see any hacker groups taking advantage of this and become more prominent players on the global stage?

AM: I think hacktivist groups are already taking a foot on the stage when it comes to this sort of warfare. We saw this only a couple of weeks ago with the story that German missiles placed in Turkey had been hacked, because they were US designed missiles with US designed software which of course is open to hacking, it has back doors. So this is going to become more, more prominent. And it is a bit of sort of David and Goliath type asymmetrical information warfare. I think this is going to become more obvious, more prominent, not just with hacktivist groups but also with smaller countries which don’t necessarily have the military hardware to fight a conventional war. But they can push back against big countries with that hardware, and attack that software which runs their weapons. So it is asymmetric warfare, and I think it is going to become more predominant over the next decade or so.

_____

The statements, views and opinions expressed in this column are solely those of the author and do not necessarily represent those of RT.

http://www.rt.com/op-edge/310691-cyber-security-germany-legislation/


Car Hacked

Cyber-criminals could target driverless vehicles, cause chaos

Driverless vehicles will require tough protection from hackers attempting to hijack them and create chaos on Britain’s roads, cyber security experts warn.

RT.com (November 21 2014)

Autonomous cars, such as Google’s self-driving vehicle, could curb road deaths by ruling out the dangers of common human errors. But the reliability and security of software that underpins the technology is likely to be a serious concern for insurers and manufacturers in years to come.

Hugh Boyes, a leading cybersecurity expert at Britain’s Institution of Engineering and Technology (IET), warns that hackers targeting driverless vehicles in the future could create chaos.

“The motor industry is really strong on safety but if someone tries to interfere with the vehicle, tries to hack it and disrupt it, then these don’t fall under the typical safety issues”, he told The Guardian.

Unfortunately living in the world today, people do try to tamper with technology. The industry is only just starting to recognise this.

Boyes warned the software underpinning driverless vehicles would have to be free of bugs and be utterly reliable.

Recent reports analysing software show that 98 percent of applications have serious defects and in many cases there were ten to fifteen defects per application.

Driverless vehicles also hold the potential to bolster the risk of accidents amongst drivers who continue to travel in manual vehicles if they journey on the same roads, recent research reveals.

Research conducted in driving simulators indicates that regular human drivers alter their behaviour when travelling alongside driverless cars by emulating autonomous vehicles’ style of driving and allowing less space between their own vehicle and those in front of them.

This trend increases the risk of an accident because driverless vehicles are equipped with specially fitted sensors which thwart accidents, while human responses are considerably slower.

These findings coincide with a separate report that explores how driverless cars can be best introduced to UK roads. The research forecasts Britain will be populated with autonomous vehicles carrying goods and citizens around the nation by 2030, resulting in less costly and less risky passenger mobility.

It also predicts driver-free cars could encourage troves of people to move to the countryside as the new technology will allow more individuals to travel around rural areas without possessing driving skills.

Equally, driverless car technology is expected to be highly beneficial for elderly people who have retired to rural areas but are no longer able to drive.

Dr Nick Reed, a leading human factors researcher at the Transport Research Laboratory in Berkshire, told The Guardian on Friday that 95 percent of the world’s 1.2 million annual road deaths are related to human error.

He warned, however, that the integration of human drivers and driverless vehicles on roads across the globe could present very serious problems.

Britain’s business secretary, Vince Cable, announced earlier this year that trials of driverless vehicles on UK roads will begin in January.

http://www.rt.com/uk/207739-hacker-car-driverless-accidents/


Picked Out a Coffin Yet?

Take Ibuprofen and Die

by Mike Whitney

CounterPunch (July 24 2015)

Today we know that the risk of heart attack and stroke may occur early in treatment, even in the first weeks …  “There is no period of use shown to be without risk”, says Judy Racoosin, MD, MPH, deputy director of FDA’s Division of Anesthesia, Analgesia, and Addiction Products. {1}

In case you missed it: The FDA has just issued a warning on various prescription and non-prescription drugs that Americans ingest by the boatload. As it happens, these seemingly benign pain relievers can kill you even if you scrupulously follow the recommended dosage. But don’t take my word for it. Here’s a blurb from the FDA website:

FDA is strengthening an existing warning in prescription drug labels and over-the-counter (OTC) Drug Facts labels to indicate that nonsteroidal anti-inflammatory drugs (NSAIDs) can increase the chance of a heart attack or stroke, either of which can lead to death. Those serious side effects can occur as early as the first few weeks of using an NSAID, and the risk might rise the longer people take NSAIDs. {2}

Notice how the FDA refers to “death” as “a serious side effect”. How’s that for an understatement? Here’s more from the FDA warning:

The OTC drugs in this group are used for the temporary relief of pain and fever. The prescription drugs in this group are used to treat several kinds of arthritis and other painful conditions. Because many prescription and OTC medicines contain NSAIDs, consumers should avoid taking multiple remedies with the same active ingredient.

The New York Times includes “Motrin IB, Aleve and Celebrex” in this group of “widely used painkillers”.

Why isn’t this headline news? People take tons of these chemicals every day thinking they’ve been thoroughly tested and are totally safe. Now we find out that’s not the case. Now we discover that you can get a heart attack or stroke “as early as the first few weeks of using” them. Doesn’t that come as a bit of a shock to you, dear reader? Doesn’t that make you suspect that the FDA is not telling the whole truth here, but is simply covering up for a profit-obsessed industry that doesn’t give a rip about its customers’ health?

Take a look at some of these articles I dredged up on Google News on the topic:

“Doctors issue Ibuprofen toxicity warning”. Daily Telegraph.

“Warning: Runners May Be At Risk From Ibuprofen Use”. Australian Marathon Review.

“Ibuprofen ‘trebles the risk of a stroke’ doctors warn”, Daily Mail Online.

“Ibuprofen Side Effects Land Thousands in the Hospital”, Side-Effects.com.

“The FDA’s Dilemma about Ibuprofen and Cardiovascular Risk”, Forbes.

“Ibuprofen Blunts Aspirin’s Cardioprotection. FDA Issues Warning”, lexi.com.

“Aspirin, Ibuprofen Warnings Advised-Health: Consumers need to be told the painkillers can cause internal bleeding and kidney damage, a panel tells the FDA”, Los Angeles Times.

And how reliable is the FDA in determining the toxicity of these medications anyway? Wasn’t the so-called “watchdog” agency implicated in a pay-to-play flap just a couple years ago? Some readers might recall another incident when the FDA was caught in a “spying program on its own scientists, lawmakers, reporters and academics” to “discourage whistleblowing”. According to Truthout’s Martha Rosenberg:

… top FDA managers “committed the most outrageous misconduct by ordering, coercing and intimidating FDA physicians and scientists to recommend approval, and then retaliating when the physicians and scientists refused to go along”. Review procedures at the agency (which approves stents, breast implants, MRIs, and other devices and machinery) were so faulty that unsafe devices – including those that emit excessive radiation – were approved, charged the scientists, provoking an OSC investigation … For reporting the safety risks, the scientists became targets of the now-disclosed spy program and some lost their jobs …

(According to FDA drug reviewer Ronald Kavanagh) “While I was at FDA, drug reviewers were clearly told not to question drug companies and that our job was to approve drugs. We were prevented, except in rare instances, from presenting findings at advisory committees. In 2007, formal policies were instituted so that speaking in any way that could reflect poorly on the agency could result in termination. If we asked questions that could delay or prevent a drug’s approval – which of course was our job as drug reviewers – management would reprimand us, reassign us, hold secret meetings about us, and worse. Obviously in such an environment, people will self-censor.” {3}

Nice, eh? And this is the agency that’s supposed to protect the public from risky drugs?

Right. Does the name “Vioxx” ring a bell? If not, here’s a little refresher from an article by Fred Gardner in Counterpunch titled “Merck Pays a Pittance for Mass Deaths”:

“Merck has agreed to pay $950 million and has pleaded guilty to a criminal charge over the marketing and sales of the painkiller Vioxx”, The New York Times reported November 23 …

The FDA had initially approved Vioxx (after a hasty “priority review”) in May, 1999 to treat osteoarthritis, acute pain, and menstrual cramps. By September 30 2004, when Merck announced its “voluntary recall”, some 25 million Americans had been prescribed the widely hyped drug. Evidence that using Vioxx doubled a patient’s risk of suffering a heart attack or stroke  – based on a review of 1.4 million patients’ records –  was about to be published in Lancet by David Graham, MD, an FDA investigator. The FDA director’s office, devoted valet of Big PhRMA, had contacted the Lancet in a futile effort to stop publication of their own scientist’s findings.

Graham’s data indicate that 140,000 Americans suffered Vioxx-induced heart attacks and strokes; 55,000 died, and many more were permanently disabled. The Merck executives’ real crime was conspiracy to commit murder … An early clinical trial had alerted them to the fact that Vioxx caused coronary damage. Their response was to exclude from future trials anyone with a history of heart trouble!

Once Vioxx was approved, Merck spent more than $100 million a year advertising it … Sales hit $2.5 billion in 2003. And when brave Dr Graham first presented his irrefragable evidence to an FDA advisory committee in February 2004, Merck argued that the “unique benefits” of Vioxx warranted its remaining on the market. The FDA committee voted 17-15 to keep it available with a black box warning. Ten of the 32 committee members had taken money from Merck, Pfizer or Novartis (which were pushing drugs similar to Vioxx) as consultants. If these MDs had declared their conflicts of interest, Vioxx would have been pulled from the market by a vote of 14-8. By buying an extra seven and a half months, Merck made an extra billion or two, and killed 6,000 more Americans.

Worldwide, Vioxx was used by eighty million people. Assuming their dosages were similar to the 1.4 million Kaiser Permanente patients whose records Dr Graham analyzed, the death toll exceeds 165,000. {4}

Is that what’s going on? Is some prestigious organization like Lancet about to release a damning report on these dubious pain relievers, so the FDA is trying to get ahead of the story to save their own keister? How much has the culture at the FDA really changed since the Vioxx scandal? Is the agency still owned and operated by the industries it’s supposed to regulate?

Do you really need to ask? The better question would be: What regulatory agency in the US ISN’T owned by corporate America? They own it all; lock, stock and barrel.

And, keep in mind, (according to Gardner) Vioxx killed over 165,000 people.

Now guess how many Merck executives went to jail?

Yep. Zero.

I’m not saying these medications don’t help to relieve chronic pain from “debilitating conditions, including osteoarthritis, rheumatoid arthritis‎, gout and other rheumatological and painful conditions”. They do. But whether they’re useful or not doesn’t change the fact that “even small amounts” of this crap can put you at risk of a heart attack or stroke. That’s what the public needs to know, and that’s the FDA’s job. Here’s an excerpt from an article in The New York Times that tries to minimize the dangers:

The broader context is important. The relative risk of heart attack and stroke from the drugs is still far smaller than the risk from smoking, having uncontrolled high blood pressure or being obese. {5}

True, and it’s probably less risky than bungee-jumping off the Empire State Building, but what difference does that make? The fact is, it can kill you, the FDA KNOWS it can kill you, and yet they haven’t done anything to counter the relentless tsunami of industry-generated propaganda that has convinced the American people that these medications are risk free. Here’s more on that from the Times:

The agency said it would ask drug manufacturers to change the labels to reflect new evidence that the drugs increased the risk of heart attack and stroke soon after patients first started taking them, and that while the risk was higher for people with heart disease, it surfaced even for people who had never had heart problems. {5}

Let me get this straight: The FDA knows that these anti-inflammatories are killing people and they’re going to “ask” the drug companies if they’ll change the labels? Is this how regulation works in the US nowadays; the agencies basically have to grovel before these cutthroat industries just to get them to do the right thing?

I have a better idea: Why not just prosecute a few of these drug-pushing executives for manslaughter?

That ought to do the trick, don’t you think?

Here’s one last blurb from the Times:

“There is great concern that people think these drugs are benign, and they are probably not”, (said Dr Peter Wilson, a professor of medicine and public health at Emory University in Atlanta) “The thought is these are good for short-term relief, probably for your younger person with no history of cardiovascular trouble”. {5}

There it is from the horse’s mouth. Do not presume that these medications are safe just because they’re hyped in the media. Do your own research and decide for yourself whether the benefits outweigh the risks.

Links:

{1} http://www.fda.gov/ForConsumers/ConsumerUpdates/ucm453610.htm

{2} http://www.fda.gov/ForConsumers/ConsumerUpdates/ucm453610.htm

{3} http://www.truth-out.org/news/item/10524-former-fda-reviewer-speaks-out-about-intimidation-retaliation-and-marginalizing-of-safety

{4} http://www.counterpunch.org/2011/11/29/merck-pays-a-pittance-for-mass-murder/

{5} http://www.nytimes.com/2015/07/14/science/experts-urge-sparing-use-of-nonaspirin-painkillers.html?_r=1

http://www.counterpunch.org/2015/07/24/picked-out-a-coffin-yet-take-ibuprofen-and-die/


The Cimmerian Hypothesis, Part One

Civilization and Barbarism

by John Michael Greer

The Archdruid Report (July 15 2015)

One of the oddities of the writer’s life is the utter unpredictability of inspiration. There are times when I sit down at the keyboard knowing what I have to write, and plod my way through the day’s allotment of prose in much the same spirit that a gardener turns the earth in the beds of a big garden; there are times when a project sits there grumbling to itself and has to be coaxed or prodded into taking shape on the page; but there are also times when something grabs hold of me, drags me kicking and screaming to the keyboard, and holds me there with a squamous paw clamped on my shoulder until I’ve finished whatever it is that I’ve suddenly found out that I have to write.

Over the last two months, I’ve had that last experience on a considerably larger scale than usual; to be precise, I’ve just completed the first draft of a 70,000-word novel in eight weeks. Those of my readers and correspondents who’ve been wondering why I’ve been slower than usual to respond to them now know the reason. The working title is Moon Path to Innsmouth; it deals, in the sidelong way for which fiction is so well suited, with quite a number of the issues discussed on this blog; I’m pleased to say that I’ve lined up a publisher, and so in due time the novel will be available to delight the rugose hearts of the Great Old Ones and their eldritch minions everywhere.

None of that would be relevant to the theme of the current series of posts on The Archdruid Report, except that getting the thing written required quite a bit of reference to the weird tales of an earlier era – the writings of H P Lovecraft, of course, but also those of Clark Ashton Smith and Robert E Howard, who both contributed mightily to the fictive mythos that took its name from Lovecraft’s squid-faced devil-god Cthulhu. One Howard story leads to another – or at least it does if you spent your impressionable youth stewing your imagination in a bubbling cauldron of classic fantasy fiction, as I did – and that’s how it happened that I ended up revisiting the final lines of “Beyond the Black River”, part of the saga of Conan of Cimmeria, Howard’s iconic hero:

‘Barbarism is the natural state of mankind’, the borderer said, still staring somberly at the Cimmerian. ‘Civilization is unnatural. It is a whim of circumstance. And barbarism must always ultimately triumph.’

It’s easy to take that as nothing more than a bit of bluster meant to add color to an adventure story – easy but, I’d suggest, inaccurate. Science fiction has made much of its claim to be a “literature of ideas”, but a strong case can be made that the weird tale as developed by Lovecraft, Smith, Howard, and their peers has at least as much claim to the same label, and the ideas that feature in a classic weird tale are often a good deal more challenging than those that are the stock in trade of most science fiction: “gee, what happens if I extrapolate this technological trend a little further?” and the like. The authors who published with Weird Tales back in the day, in particular, liked to pose edgy questions about the way that the posturings of our species and its contemporary cultures appeared in the cold light of a cosmos that’s wholly uninterested in our overblown opinion of ourselves.

Thus I think it’s worth giving Conan and his fellow barbarians their due, and treating what we may as well call the Cimmerian hypothesis as a serious proposal about the underlying structure of human history. Let’s start with some basics. What is civilization? What is barbarism? What exactly does it mean to describe one state of human society as natural and another unnatural, and how does that relate to the repeated triumph of barbarism at the end of every civilization?

The word “civilization” has a galaxy of meanings, most of them irrelevant to the present purpose. We can take the original meaning of the word – in late Latin, civilisatio – as a workable starting point; it means “having or establishing settled communities.” A people known to the Romans was civilized if its members lived in civitates, cities or towns. We can generalize this further, and say that a civilization is a form of society in which people live in artificial environments. Is there more to civilization than that? Of course there is, but as I hope to show, most of it unfolds from the distinction just traced out.

A city, after all, is a human environment from which the ordinary workings of nature have been excluded, to as great an extent as the available technology permits. When you go outdoors in a city, nearly all the things you encounter have been put there by human beings; even the trees are where they are because someone decided to put them there, not by way of the normal processes by which trees reproduce their kind and disperse their seeds. Those natural phenomena that do manage to elbow their way into an urban environment – tropical storms, rats, and the like – are interlopers, and treated as such. The gradient between urban and rural settlements can be measured precisely by what fraction of the things that residents encounter is put there by human action, as compared to the fraction that was put there by ordinary natural processes.

What is barbarism? The root meaning here is a good deal less helpful. The Greek word βαρβαροι, barbaroi, originally meant “people who say ‘bar bar bar'” instead of talking intelligibly in Greek. In Roman times that usage got bent around to mean “people outside the Empire”, and thus in due time to “tribes who are too savage to speak Latin, live in cities, or give up without a fight when we decide to steal their land”. Fast forward a century or two, and that definition morphed uncomfortably into “tribes who are too savage to speak Latin, live in cities, or stay peacefully on their side of the border”  – enter Alaric’s Visigoths, Genseric’s Vandals, and the ebullient multiethnic horde that marched westwards under the banners of Attila the Hun.

This is also where Conan enters the picture. In crafting his fictional Hyborian Age, which was vaguely located in time between the sinking of Atlantis and the beginning of recorded history, Howard borrowed freely from various corners of the past, but the Roman experience was an important ingredient – the story cited above, framed by a struggle between the kingdom of Aquilonia and the wild Pictish tribes beyond the Black River, drew noticeably on Roman Britain, though it also took elements from the Old West and elsewhere. The entire concept of a barbarian hero swaggering his way south into the lands of civilization, which Howard introduced to fantasy fiction (and which has been so freely and ineptly plagiarized since his time), has its roots in the late Roman and post-Roman experience, a time when a great many enterprising warriors did just that, and when some, like Conan, became kings.

What sets barbarian societies apart from civilized ones is precisely that a much smaller fraction of the environment barbarians encounter results from human action. When you go outdoors in Cimmeria – if you’re not outdoors to start with, which you probably are – nearly everything you encounter has been put there by nature. There are no towns of any size, just scattered clusters of dwellings in the midst of a mostly unaltered environment. Where your Aquilonian town dweller who steps outside may have to look hard to see anything that was put there by nature, your Cimmerian who shoulders his battle-ax and goes for a stroll may have to look hard to see anything that was put there by human beings.

What’s more, there’s a difference in what we might usefully call the transparency of human constructions. In Cimmeria, if you do manage to get in out of the weather, the stones and timbers of the hovel where you’ve taken shelter are recognizable lumps of rock and pieces of tree; your hosts smell like the pheromone-laden social primates they are; and when their barbarian generosity inspires them to serve you a feast, they send someone out to shoot a deer, hack it into gobbets, and cook the result in some relatively simple manner that leaves no doubt in anyone’s mind that you’re all chewing on parts of a dead animal. Follow Conan’s route down into the cities of Aquilonia, and you’re in a different world, where paint and plaster, soap and perfume, and fancy cookery, among many other things, obscure nature’s contributions to the human world.

So that’s our first set of distinctions. What makes human societies natural or unnatural? It’s all too easy to sink into a festering swamp of unsubstantiated presuppositions here, since people in every human society think of their own ways of doing things as natural and normal, and everyone else’s ways of doing the same things as unnatural and abnormal. Worse, there’s the pervasive bad habit in industrial Western cultures of lumping all non-Western cultures with relatively simple technologies together as “primitive man” – as though there’s only one of him, sitting there in a feathered war bonnet and a lionskin kilt playing the didgeridoo – in order to flatten out human history into an imaginary straight line of progress that leads from the caves, through us, to the stars.

In point of anthropological fact, the notion of “primitive man” as an allegedly unspoiled child of nature is pure hokum, and generally racist hokum at that. “Primitive” cultures – that is to say, human societies that rely on relatively simple technological suites – differ from one another just as dramatically as they differ from modern Western industrial societies; nor do simpler technological suites correlate with simpler cultural forms. Traditional Australian aboriginal societies, which have extremely simple material technologies, are considered by many anthropologists to have among the most intricate cultures known anywhere, embracing stunningly elaborate systems of knowledge in which cosmology, myth, environmental knowledge, social custom, and scores of other fields normally kept separate in our society are woven together into dizzyingly complex tapestries of knowledge.

What’s more, those tapestries of knowledge have changed and evolved over time. The hokum that underlies that label “primitive man” presupposes, among other things, that societies that use relatively simple technological suites have all been stuck in some kind of time warp since the Neolithic – think of the common habit of speech that claims that hunter-gatherer tribes are “still in the Stone Age” and so forth. Back of that habit of speech is the industrial world’s irrational conviction that all human history is an inevitable march of progress that leads straight to our kind of society, technology, and so forth. That other human societies might evolve in different directions and find their own wholly valid ways of making a home in the universe is anathema to most people in the industrial world these days – even though all the evidence suggests that this way of looking at the history of human culture makes far more sense of the data than does the fantasy of inevitable linear progress toward us.

Thus traditional tribal societies are no more natural than civilizations are, in one important sense of the word “natural;” that is, tribal societies are as complex, abstract, unique, and historically contingent as civilizations are. There is, however, one kind of human society that doesn’t share these characteristics – a kind of society that tends to be intellectually and culturally as well as technologically simpler than most, and that recurs in astonishingly similar forms around the world and across time. We’ve talked about it at quite some length in this blog {1}; it’s the distinctive dark age society that emerges in the ruins of every fallen civilization after the barbarian war leaders settle down to become petty kings, the survivors of the civilization’s once-vast population get to work eking out a bare subsistence from the depleted topsoil, and most of the heritage of the wrecked past goes into history’s dumpster.

If there’s such a thing as a natural human society, the basic dark age society is probably it, since it emerges when the complex, abstract, unique, and historically contingent cultures of the former civilization and its hostile neighbors have both imploded, and the survivors of the collapse have to put something together in a hurry with nothing but raw human relationships and the constraints of the natural world to guide them. Of course once things settle down the new society begins moving off in its own complex, abstract, unique, and historically contingent direction; the dark age societies of post-Mycenean Greece, post-Roman Britain, post-Heian Japan, and their many equivalents have massive similarities, but the new societies that emerged from those cauldrons of cultural rebirth had much less in common with one another than their forbears did.

In Howard’s fictive history, the era of Conan came well before the collapse of Hyborian civilization; he was not himself a dark age warlord, though he doubtless would have done well in that setting. The Pictish tribes whose activities on the Aquilonian frontier inspired the quotation cited earlier in this post weren’t a dark age society, either, though if they’d actually existed, they’d have been well along the arc of transformation that turns the hostile neighbors of a declining civilization into the breeding ground of the warbands that show up on cue to finish things off. The Picts of Howard’s tale, though, were certainly barbarians – that is, they didn’t speak Aquilonian, live in cities, or stay peaceably on their side of the Black River – and they were still around long after the Hyborian civilizations were gone.

That’s one of the details Howard borrowed from history. By and large, human societies that don’t have urban centers tend to last much longer than those that do. In particular, human societies that don’t have urban centers don’t tend to go through the distinctive cycle of decline and fall ending in a dark age that urbanized societies undergo so predictably. There are plenty of factors that might plausibly drive this difference, many of which have been discussed here and elsewhere, but I’ve come to suspect something subtler may be at work here as well. As we’ve seen, a core difference between civilizations and other human societies is that people in civilizations tend to cut themselves off from the immediate experience of nature to a much greater extent than the uncivilized do. Does this help explain why civilizations crash and burn so reliably, leaving the barbarians to play drinking games with mead while sitting unsteadily on the smoldering ruins?

As it happens, I think it does.

As we’ve discussed at length in the last three weekly posts here, human intelligence is not the sort of protean, world-transforming superpower with limitless potential it’s been labeled by the more overenthusiastic partisans of human exceptionalism. Rather, it’s an interesting capacity possessed by one species of social primates, and quite possibly shared by some other animal species as well. Like every other biological capacity, it evolved through a process of adaptation to the environment – not, please note, to some abstract concept of the environment, but to the specific stimuli and responses that a social primate gets from the African savanna and its inhabitants, including but not limited to other social primates of the same species. It’s indicative that when our species originally spread out of Africa, it seems to have settled first in those parts of the Old World that had roughly savanna-like ecosystems, and only later worked out the bugs of living in such radically different environments as boreal forests, tropical jungles, and the like.

The interplay between the human brain and the natural environment is considerably more significant than has often been realized. For the last forty years or so, a scholarly discipline called ecopsychology has explored some of the ways that interactions with nature shape the human mind. More recently, in response to the frantic attempts of American parents to isolate their children from a galaxy of largely imaginary risks, psychologists have begun to talk about “nature deficit disorder”, the set of emotional and intellectual dysfunctions that show up reliably in children who have been deprived of the normal human experience of growing up in intimate contact with the natural world.

All of this should have been obvious from first principles. Studies of human and animal behavior alike have shown repeatedly that psychological health depends on receiving certain highly specific stimuli at certain stages in the maturation process. The famous experiments by Henry Harlow, who showed that monkeys raised with a mother-substitute wrapped in terrycloth grew up more or less normal, while those raised with a bare metal mother-substitute turned out psychotic even when all their other needs were met, are among the more famous of these, but there have been many more, and many of them can be shown to affect human capacities in direct and demonstrable ways. Children learn language, for example, only if they’re exposed to speech during a certain age window; lacking the right stimulus at the right time, the capacity to use language shuts down and apparently can’t be restarted again.

In this latter example, exposure to speech is what’s known as a triggering stimulus – something from outside the organism that kickstarts a process that’s already hardwired into the organism, but will not get under way until and unless the trigger appears. There are other kinds of stimuli that play different roles in human and animal development. The maturation of the human mind, in fact, might best be seen as a process in which inputs from the environment play a galaxy of roles, some of them of critical importance. What happens when the natural inputs that were around when human intelligence evolved get shut out of the experiences of maturing humans, and replaced by a very different set of inputs put there by human beings? We’ll discuss that next week, in the second part of this post.

_____

John Michael Greer is the Grand Archdruid of the Ancient Order of Druids in America {2} and the author of more than thirty books on a wide range of subjects, including peak oil and the future of industrial society. He lives in Cumberland, Maryland, an old red brick mill town in the north central Appalachians, with his wife Sara.

Links:

{1} http://thearchdruidreport.blogspot.com/2014/07/bright-were-halls-then.html

{2} http://www.aoda.org

http://thearchdruidreport.blogspot.jp/2015/07/the-cimmerian-hypothesis-part-one.html


Automakers Stumped

Report Says Hackers Can Hijack Almost Any Car

RT.com (February 09 2015)

Almost all automobiles sold today contain systems that can potentially be compromised by hackers, a United States Senator warns, but automakers appear largely unaware of the implications, according to his report.

Senator Ed Markey (Democrat, Massachusetts) is calling on the world’s automobile makers to implement mandatory safeguards after his congressional inquiry revealed a widespread absence of security and privacy protection with regards to cars currently being sold around the world.

Security that could curb hacking against automobiles or allow sensitive information to be compromised must be put in place by the auto industry, Markey’s office warns in the report {1} published Monday, and current protection, when it’s brought to bear, is largely inconsistent.

The report warns modern automobiles are increasingly collecting sensitive information about personal driving habits and history, which is often held indefinitely and then offered to third-parties, in turn allowing companies the ability to keep detailed information about not just car performance, but also where a driver has traveled.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected”, Senator Markey, a member of the Commerce, Science and Transportation Committee, said in a statement {2} on Monday. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers”.

Markey’s team considered studies by the Pentagon’s Defense Advanced Research Projects Agency (DARPA) in 2013 and 2014 in preparing the report, and sent questionnaires to twenty automakers inquiring about each manufacturer’s technology, security precautions and privacy policies.

Only sixteen of the automakers responded, according to this week’s report, but their answers were enough to leave Senator Markey’s office issuing a plea for car companies to increase security measures concerning the cars’ increasingly advanced technologies and privacy protections for the data they record.

“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle, or against those who may wish to collect and use personal driver information”, a portion of the report reads.

According to Senator Markey’s office, the answers supplied by automakers suggested that nearly 100 percent of cars currently on sale include wireless technology that poses hacking vulnerabilities or privacy intrusions, yet most manufacturers were unaware of previous incidents in which critical components of certain cars were completely compromised by malicious hackers.

“Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all”, the report found.

“Look how many of the last year’s recalls related to electronic issues … it’s not going to be that far along – whole generations of vehicles – that could be vulnerable … it’s not sci-fi”, Sean Kane, president of the Massachusetts-based Safety Research and Strategies, told The Detroit News {3}.

Even the latest models available for sale, Kane told the paper, use imperfect technology that can be exploited and become a “wide open door” to hackers.

Additionally, the ever-increasing collection of car data raised concerns in the senator’s office. Half of all cars sold today transmit and store data off-board, the report found, yet largely absent are safeguards or sound privacy practices to keep that information from ending up in unintended hands.

“Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation”, his office determined.

If data collection is not disabled, the report warns, third-party companies can obtain that information and potentially use it for any reason of their choosing.

Two major automobile coalitions, the Alliance of Automobile Manufacturers and the Association of Global Automakers, recently adopted voluntary privacy principles in order to keep sensitive information from wrongly being used. According to the report, though, this effort “provides little tangible assurances that consumers will not disapprove of the ways in which manufacturers use their sensitive information”.

Gordon Trowbridge, a spokesperson for the National Highway Traffic Safety Administration, told The Detroit News that regulators will consider recommendations for enhanced protections as they remain “engaged in an intensive effort to determine potential security vulnerabilities related to new technologies”.

Links:

{1} http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf

{2} http://www.markey.senate.gov/news/press-releases/markey-report-reveals-automobile-security-and-privacy-vulnerabilities

{3} http://www.detroitnews.com/story/business/autos/2015/02/08/report-cars-vulnerable-wireless-hacking/23094215/

Read More:

http://rt.com/uk/207739-hacker-car-driverless-accidents/

http://rt.com/usa/michael-hastings-cyber-car-218/

http://www.rt.com/usa/230655-markey-auto-security-privacy/


1.4 million Vehicles Recalled …

… Over Remote Hack Vulnerability

RT.com (July 25 2015)

Just days after hackers demonstrated that they could remotely access a Jeep Cherokee’s electronic entertainment system, control cars while engines are running, or even crash one, Fiat Chrysler Automobiles has recalled some 1.4 million vehicles for a software update.

The recall announced on Friday involves a broad range of Dodge, Jeep, Ram and Chrysler cars and trucks manufactured between 2013 and 2015 and equipped with a touchscreen infotainment radio system that proved to be vulnerable to remote hacking.

“The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action”, said FCA US, the American arm of the Italian auto group, in a statement.

The drivers of the recalled cars will receive a USB device that can be used to update the vehicle’s software. Meanwhile the company says it has already implemented additional security measures wirelessly.

The National Highway Traffic Safety Administration, however, said it would investigate Fiat’s recall to “better assess the effectiveness of the remedy”.

Earlier this month, two well-known cybersecurity researchers, Charlie Miller and Chris Valasek, showed that merely working from their laptops they could compromise the Jeep Cherokee’s electronics via its radio system.

During the experiment, a Wired reporter drove the Jeep Cherokee on a Saint Louis highway at seventy miles an hour – and the hackers, from ten miles away, took over, changed the vehicle’s speed, and manipulated the radio and windshield wipers.

“Though I hadn’t touched the dashboard, the vents … started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system”, wrote Andy Greenberg.

The hackers badly frightened Greenberg after they cut the Jeep’s brakes, causing the vehicle to roll into a ditch. As for hijacking the wheel, for now the researchers are only able to do it while the vehicle is in reverse.

Interestingly, a Fiat blog entry by Gualberto Ranieri stated that the company was aware the hackers had been doing ongoing research, intentionally hacking Miller’s vehicle, over the past year, and that they had communicated with the company about aspects of their work.

“To [the] FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle”, said Ranieri.

Charlie Miller has made a name for himself over the years by exploiting weaknesses in mobile payments technology and cars. Chris Valasek joined Miller in car hacking a couple of years ago. They’ve previously exploited the software of the Escape and the Toyota Prius.

Fiat downplayed the vulnerability of the software hack, stressing that it required “unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code”.

Meanwhile, the two hackers will present their findings at Defcon in Las Vegas in August.

READ MORE:
http://www.rt.com/usa/230655-markey-auto-security-privacy/
http://www.rt.com/uk/207739-hacker-car-driverless-accidents/

http://www.rt.com/usa/310719-vehicles-hacking-safety-recall/
